Software Security Knowledge about Application Weaknesses

Software Security Knowledge about Attack Patterns Against Applications

Training in Software Security

Software Security Practice

Supporting Capabilities

Assurance Cases

Secure Development & Secure Operations
Today Everything's Connected

Your System is attackable...
When this Other System gets subverted through an un-patched vulnerability, a mis-configuration, or an application weakness...


The Software Supply Chain

[Figure: software supply chain diagram; only the label "Legacy Software" is legible]

"Scope of Supplier Expansion and Foreign Involvement" graphic in DACS www.softwaretechnews.com Secure Software Engineering, July 2005 article "Software Development Security: A Risk Management Perspective", synopsis of May 2004 GAO-04-678 report "Defense Acquisition: Knowledge of Software Suppliers Needed to Manage Risks"


What  Is  an  Assurance  Case? 
History of Assurance Cases

• Originally Only Safety Cases

- Aerospace

- Railways, automated passenger

- Nuclear power

- Off-shore oil

- Defense

• Security Cases

- Use compliance rules more than an assurance case

• Cases for Business Critical Systems
Definition of Safety Case

• From Adelard's ASCE manual:

"A documented body of evidence that provides a convincing and valid argument that a system is adequately safe for a given application in a given environment."
Definition of Assurance Case

• Generalizing that definition

A documented body of evidence that provides a convincing and valid argument that a specified set of critical claims regarding a system's properties are adequately justified for a given application in a given environment.
Structured Assurance Cases

• Structure is required to make the creation, sharing, analysis, maintenance and automation of such an assurance case practical

• Structured Assurance Cases are composed of structured sets of Claims, Arguments and Evidence

- A Claim is a proposition to be assured about the system of concern

- An Argument is a reasoning of why a claim is true

- Evidence is either a fact, a datum, an object, a claim or [recursively] an assurance case which supports an Argument against a Claim
Extremely Simplified Overview of Structured Assurance Case Content

Claim = assertion to be proven

Argument = reasoning supporting a claim

Evidence = data supporting an Argument
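The Claim / Argument / Evidence structure of the two preceding slides, written out as a small constructed model with a check for gaps (added example, not code from the slides, ISO or OMG; class names, field names and the sample case are assumptions). It follows the recursive definition above, where a whole assurance case can itself serve as support, and it treats a claim reused in two places as the composability the slides promise rather than as an error:

```python
from dataclasses import dataclass, field
from typing import List, Union

# Constructed model of the slides' Claim / Argument / Evidence structure; class
# and field names are assumptions, not the ISO/IEC 15026 or OMG SACM schema.
@dataclass
class Evidence:
    description: str  # a fact, datum or object supporting an Argument
@dataclass
class Claim:
    text: str  # proposition to be assured about the system of concern
    arguments: List["Argument"] = field(default_factory=list)
@dataclass
class Argument:
    reasoning: str  # why the claim is true
    support: List[Union[Evidence, Claim, "AssuranceCase"]] = field(default_factory=list)
@dataclass
class AssuranceCase:
    top_claim: Claim

def unsupported(case: AssuranceCase) -> List[str]:
    """Claims lacking an argument and arguments lacking support, descending into
    nested cases; a reused claim is checked once, a self-supporting one is circular."""
    gaps, path, done = [], set(), set()
    def visit(c: Claim) -> None:
        if id(c) in path:
            gaps.append(f"circular support: {c.text}")
        elif id(c) not in done:
            path.add(id(c))
            if not c.arguments:
                gaps.append(f"claim without argument: {c.text}")
            for a in c.arguments:
                if not a.support:
                    gaps.append(f"argument without evidence: {a.reasoning}")
                for s in a.support:  # Evidence leaves need no descent
                    if isinstance(s, Claim):
                        visit(s)
                    elif isinstance(s, AssuranceCase):
                        visit(s.top_claim)
            path.discard(id(c))
            done.add(id(c))
    visit(case.top_claim)
    return gaps

def sample_case() -> AssuranceCase:
    # Constructed sample: a supplier's case is nested as support, but its top claim has no argument yet
    supplier = AssuranceCase(Claim("Supplier library validates all input"))
    db = Claim("All database access uses parameterized queries", [Argument(
        "Static analysis found no string-built SQL", [Evidence("SAST report (constructed)")])])
    top = Claim("Service resists injection in its deployment environment", [Argument(
        "Every input path is parameterized or validated", [db, supplier])])
    return AssuranceCase(top)
```

Running `unsupported(sample_case())` reports only the supplier's unargued claim, which is exactly the kind of gap in a nested case that the "Complete" and "Defensible" attributes later on this page are meant to rule out.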
Need for Standards

• While several different notations exist for safety cases and generalized assurance cases, no widely accepted standard currently exists for specifying structured assurance cases within a systems & software assurance domain

• Standards are needed before structured assurance cases can be widely leveraged or made practical through automated tooling

• Coordinated efforts are currently underway in the International Standards Organization (ISO) and the Object Management Group (OMG) to develop these needed standards

- ISO 15026 Part 2 (currently published) is a very simple high-level standard outlining the context and basic requirements for structured assurance cases

- The OMG SACM (under development) and supporting OMG standards are targeted at providing an automatable level of detail for structured assurance case specification
ISO/IEC 15026: A Four-Part Standard

• Planned parts:

15026-1: Concepts and vocabulary (initially a TR2 and then revised to be an IS)

15026-2: Assurance case (including planning for the assurance case itself)

15026-3: System integrity levels (a revision of the 1998 standard)

15026-4: Assurance in the life cycle (including project planning for assurance considerations)

• Possible additional parts as demand requires and resources permit, e.g.

Assurance analyses and techniques

Guidance documents
ISO/IEC 15026: Systems & Software Assurance

15026 Part 2: The Assurance Case (Claims-Evidence-Argument)

[Diagram: Claim supported by Argument, Argument supported by Evidence]
ISO/IEC/IEEE 15026 Assurance Case

Set of structured assurance claims, supported by evidence and reasoning (arguments), that demonstrates how assurance needs have been satisfied.

- Shows compliance with assurance objectives

- Provides an argument for the safety and security of the product or service.

Built, collected, and maintained throughout the life cycle

- Derived from multiple sources

Sub-parts

- A high level summary

- Justification that product or service is acceptably safe, secure, or dependable

- Rationale for claiming a specified level of safety and security

- Conformance with relevant standards & regulatory requirements

- The configuration baseline

- Identified hazards and threats and residual risk of each hazard / threat

- Operational & support assumptions

Attributes

□ Clear

□ Consistent

□ Complete

□ Comprehensible

□ Defensible

□ Bounded

□ Addresses all life cycle stages
Structured Assurance Case Efforts at the OMG

• There are efforts underway within the Object Management Group (OMG) to leverage existing standards and develop new standards for specifying ISO 15026 structured assurance cases in such a way that they will fully support automation

- Currently working to integrate two draft standards (the Argumentation Metamodel (ARM) and the Software Assurance Evidence Metamodel (SAEM)) into a single standard (Structured Assurance Case Metamodel (SACM)) for structured assurance case specification

- SACM will also likely leverage the existing OMG Knowledge Discovery Metamodel (KDM) and Semantic Business Vocabulary & Rules (SBVR) standards
Object Management Group (OMG) Systems Assurance Task Force: Claims-Evidence-Arguments Overview
Structured Safety Assurance tools are commercially available

[Screenshot: ASCE - Assurance and Safety Case Environment, with ASCAD_training_simul_example_v05b.axml open]

Unambiguous specification of security requirements along with clear identification of what evidence will be acceptable to prove them

- Unambiguously bound scope of effort

- Focus training and resource management on skills that are actually needed for a given context

- Acquire the appropriate tools and services that are actually needed for a given context

- Enable Acquisition to clearly communicate required assurance and what evidence will be required along with the delivered product

- Guide Security Engineering

- Guide Assurance Analysis

- Guide Testing

- Guide Independent Assessment & Evaluation

- Empower accountability and liability

Structured Assurance Cases are composable and reusable
Common Criteria Development Board

Common Criteria v4 CCDB

• TOE to leverage CAPEC & CWE

• ISO/IEC JTC 1/SC 7/WG 3, TR 20004: "Refining Software Vulnerability Analysis Under ISO/IEC 15408 and ISO/IEC 18045"

• Also investigating how to leverage ISO/IEC 15026 and OMG's Structured Assurance Case Metamodel (SACM)

NIAP (U.S.) Evaluation Scheme

• Above plus

• Also investigating how to leverage SCAP


[Diagram: assurance case structure showing Claim, Justification, Evidence, Sub-Claim, Assumption, and so forth]


©2011  MITRE 


Questions? 




ramartin@mitre.or 


